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Patent 

Attorney's Docket No. 032326-136 
IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 

In re Patent Application of 

Pascal COOREMAN 

Application No.: Unassigned 

Filed: May 11, 2001 

For: AUTHENTICATING METHOD 

BETWEEN A SMART CARD AND 
A TERMINAL 



Group Art Unit: Unassigned 
Examiner: Unassigned 



PRELIMINARY AMENDMENT 

Assistant Commissioner for Patents 
Washington, D.C. 20231 

Sir: 

Prior to examination and the calculation of filing fees, kindly amend the above- 
identified application as follows: 



IN THE SPECIFICATION: 

Page 1, immediately following the title appearing on lines 1 and 2, insert the 
following: 

-This disclosure is based upon, and claims priority from French Application No. 
98/14224, filed on November 12, 1998 and International Application No. 
PCT/FR99/02692, filed November 4, 1999, which was published on May 25, 2000 in a 
language other than English, the contents of which are incorporated herein by reference. 
Background of the Invention — 
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Page 2, between lines 7 and 8, insert the following heading: 
- Summary of the Invention -. 

Page 3, between lines 25 and 26, insert the following heading: 
- Brief Description of the Drawings -- . 

Page 4, between lines 5 and 6, insert the following heading: 
- Detailed Description - 

TN THE CLAIMS: 

Kindly replace claims 1-13, as follows. 

1. (Amended) An authenticating method between a memory chip card having at 
least one counter and a terminal, comprising the following steps: 

(a) inserting the memory chip card into the terminal, 

(b) calculating, in the terminal, a secret code CSQ according to a cryptographic 
function F of a number of variables comprising at least a code CSN identifying the memory 
chip card and the value of said counter, 

(c) authenticating the terminal by the card when the calculated secret code CSQ is 
identical to a code CSC 0 recorded in a memory of the card at the end of a previous 
authentication operation, 

(d) carrying out a desired transaction and modifying the value of said counter, 
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(e) calculating, in the terminal, a new secret code CSC 2 according to the 
cryptographic function F of the code CSN identifying the memory chip card and the new 
value of said counter, 

(f) updating the memory chip card for the next transaction by recording, in said 
memory, the new secret code CSC 2 calculated by the operation (e). 

2. (Amended) A method according to Claim 1, further including the following 
steps between the steps (c) and (d): 

(x) calculating, in the terminal, an authentication certificate CA 1 according to a 
cryptographic function G of a number of variables comprising at least the code CSN 
identifying the memory chip card and the value of the counter, 

(y) authenticating the card by the terminal when the calculated authentication 
certificate CA t is identical to a certificate CA 0 calculated and recorded at the end of the 
previous transaction, 

and wherein step (e) is supplemented by the step of 

(e') calculating, in the terminal, a new authentication certificate CA 2 according to 
the cryptographic function G of the code CSN identifying the memory chip card and the 
new value of said counter, 

- and wherein step (f) is supplemented by the step of 

(f) updating the memory chip card for the next transaction by recording, in the 
memory, the new authentication certificate CA 2 calculated according to the step (e'). 
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3 . (Amended) A method according to Claim 2 wherein step (b) comprises the 
following steps: 

- first calculating, in the terminal, a session key according to a cryptographic 
function of a number of variables comprising at least a parent key known by the 
terminal, the code CSN identifying the memory chip card and the value of said counter, 

- next calculating, in the terminal, the secret code CSQ according to the 
cryptographic function F of the session key K^, 

and wherein step (e) comprises: 

- first calculating, in the terminal, a new session key according to the 
cryptographic function F ks with the new value of said counter, 

- next calculating, in the terminal, the new secret code CSC 2 according to the 
cryptographic function F of the new session key K^. 

4. (Amended) A method according to Claim 3 wherein step (e') includes the 
step of calculating the new authentication certificate CA 2 according to the cryptographic 
function G of the new session key K^. 

5. (Amended) A method according to claim 1 wherein the memory chip card 
comprises two counters, one counting the authentications and the other counting payment 
transactions, and wherein the variables of the cryptographic functions comprise the values 
of said counters. 
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6. (Amended) A method according to claim 1 wherein the cryptographic 
functions are one-way functions. 

7. (Amended) A method according to Claim 6, wherein the cryptographic 
functions are "hashing" functions. 

8. (Amended) A method according to claim 3, wherein step (b) comprises the 
following steps: 

(bj) reading the serial number CSN of the card, 
(b 2 ) reading the content of the counter, and 

(b 3 ) calculating the session key according to a cryptographic function F ks 
such that: 

K Sl =F ks (K m , CSN, CTC,). 

9. (Amended) A method according to claim 1, wherein step (c) comprises the 
following steps: 

(q) transmitting the secret code CSC t to the card, 

(c 2 ) comparing, in the card, this secret code CSQ with a secret code CSC 0 
recorded in the card at the end of the previous transaction with the card, and 

(c 3 ) authorizing the remainder of the operations if the comparison indicates 
the identity CSC 0 = CSC, or refusing same if CSC 0 is not equal to CSQ. 
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10. (Amended) A method according to claim 2, wherein step (y) comprises the 
following steps: 

(y t ) reading the content CA 0 of a designated area of the memory of the card 

CM, 

(y 2 ) transmitting, to the terminal, the content CAq of said area which 
corresponds to an Authentication Certificate C A 0 calculated at the end of the 
previous transaction, 

(y 3 ) comparing, in the terminal, the calculated Authentication Certificate 
CAj with the certificate CA 0 , and 

(y 4 ) authorizing the remainder of the operations if the comparison indicates 
the identify CA! = CA 0 . 

11. (Amended) A method according to claim 1, wherein step (d) comprises the 
following steps: 

(dj) reading, from an area of the memory, the value BAL 0 of a balance 
resulting from the previous transaction and a corresponding certificate CBAL 0 , and 

(d 2 ) verifying that the certificate CBAL 0 correctly corresponds to the result 
of the cryptographic function such that: 

CBAL 0 = H (IQ, BAL 0 , CSN, CTCJ, 

- Kt being a transaction key, 

(d 3 ) incrementing the transaction counter to the value (CTQ + 1) = CTC 2 . 
(d 4 ) recording the new balance BALj in said area, 
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(d 5 ) calculating a Certificate CBALj for the new balance BAI^ such that: 
CBALj = H (K,, BAL 1; CSN, CTQ), and 
(d 6 ) recording CBAI^ in said area. 

12. (Amended) A method according to claim 1 wherein step (a) also comprises a 
step of entering a personal code of the user. 

13 . (Amended) A method according to claim 3 , wherein in step (b), one of the 
variables used for calculating the session key Ks! is a personal code PIN of the user. 

Add the following new claims: 

14. (New) A method according to Claim 1 wherein step (b) comprises the 
following steps: 

- first calculating, in the terminal, a session key according to a cryptographic 
function F ks of a number of variables comprising at least a parent key known by the 
terminal, the code CSN identifying the memory chip card and the value of said counter, 

- next calculating, in the terminal, the secret code CSC! according to the 
cryptographic function F of the session key K^, 

and wherein step (e) comprises: 

- first calculating, in the terminal, a new session key K, 2 according to the 
cryptographic function F te with the new value of said counter, 
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- next calculating, in the terminal, the new secret code CSC 2 according to the 
cryptographic function F of the new session key K^. 

15. (New) A method according to claim 14, wherein step (b) comprises the 
following steps: 

(bj reading the serial number CSN of the card, 
(bj) reading the content of the counter, and 

(b 3 ) calculating the session key according to a cryptographic function F ks 
such that: 

K Sl = F ta (K™, CSN, CTQ). 
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REMARKS 

Entry of the foregoing amendment is respectfully requested. This amendment is 
intended to place the claims in a more conventional format and eliminate the multiple 
dependency of the claims. 

Respectfully submitted, 



Burns, Doane, Swecker & Mathis, l.l.p. 




James A. LaBarre 
Registration No. 28,632 



P.O. Box 1404 

Alexandria, Virginia 22313-1404 
(703) 836-6620 



Date: May 11, 2001 
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Attachment to Preliminary Amendment dated May 11, 2001 
Marked-up Claims 1-13 
1. (Amended) An authenticating method between a memory chip card [(CM)] 
having at least one counter [(CE, CT)] and a terminal [(TE), characterised in that it 
comprises] , comprising the following steps [consisting of] : 

(a) inserting the memory chip card [(CM)] into the terminal [(TE)], 

(b) calculating, in the terminal, a secret code CSC! according to a cryptographic 
function F of a number of variables comprising at least a code CSN identifying the memory 
chip card and the value [(CTE^ CTCj)] of said counter [(CE, CT)], 

(c) authenticating the terminal by the card when the calculated secret code CSQ is 
identical to a code CSC 0 recorded in [the] a memory of the card at the end of [the] a 
previous authentication [according to the] operation [(f) below] , 

(d) carrying out [the planned] a desired transaction and modifying the value 
[(CTE 2 , CTC 2 )] of said counter [(CE, CT)], 

(e) calculating, in the terminal [(TE)], a new secret code CSC 2 according to the 
cryptographic function F of the code CSN identifying the memory chip card [(CM)] and the 
new value [(CTE^ CTC 2 )] of said counter [(CE, CT)], 

(f) updating the memory chip card [(CM)] for the next transaction by recording, in 
[the] said memory [(M)], the new secret code CSC 2 calculated by the operation (e). 



2. (Amended) A method according to Claim 1, [characterised: 
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Attachment to Preliminary Amendment da ted Mav 11. 2001 
Marked-up Claims 1-13 

in that it comprises] further including the following [supplementary] steps 
between the steps (c) and (d) [consisting of]: 

(x) calculating, in the terminal [(TE)], an authentication certificate CAj according 
to a cryptographic function G of a number of variables comprising at least the code CSN 
identifying the memory chip card and the value [(CTE l5 CTQ)] of the counter [(CE, CT)], 

(y) authenticating the card [(CM)] by the terminal [(TE)] when the calculated 
authentication certificate CA X is identical to a certificate CA 0 calculated and recorded at the 
end of the previous transaction [according to the steps (e') and (f) below: 

- in that the] , and wherein step (e) is supplemented by the [following] step 
[consisting] of[:] 

(e') calculating, in the terminal [(TE)], a new authentication certificate CA 2 
according to the cryptographic function G of the code CSN identifying the memory chip 
card and the new value [(CTE 2 , CTC 2 )] of said counter [(CE, CT)], 

- and [in that the] wherein step (f) is supplemented by the [following] step 
[consisting] of[:] 

(f) updating the memory chip card [(CM)] for the next transaction by recording, in 
the memory [(M)], the new authentication certificate CA 2 calculated according to the step 
(e'). 



3. 



(Amended) A method according to Claim [1, characterised: 
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Attachment to Preliminary Amendment dated May 11. 2001 
Marked-up Claims 1-13 

- in that the step (b) consists of:] 2 wherein step (b) comprises the following steps: 

- first calculating, in the terminal [(TE)], a session key according to a 
cryptographic function of a number of variables comprising at least a parent key 
known by the terminal [(TE)], the code CSN identifying the memory chip card [(CM)] and 
the value [(CTEj, CTQ)] of said counter [(CE, CT)], 

- next calculating, in the terminal [(TE)], the secret code CSQ according to the 
cryptographic function F of the session key K^, 

[- in that the step (e) consists of:] and wherein step (e) co mprises: 

- first calculating, in the terminal [(TE)], a new session key K s2 according to the 
cryptographic function F ks with the new value [(CTEj, CTC 2 )] of said counter [(CE, CT)], 

- next calculating, in the terminal [(TE)], the new secret code CSC, according to the 
cryptographic function F of the new session key K^. 

4. (Amended) A method according to Claim [2 and 3, characterised in that: 

- the step (e') consists] 3 wherein step (e'> includes the step of calculating the new 
authentication certificate CA 2 according to the cryptographic function G of the new session 
key K^. 

5. (Amended) A method according to [any one of the previous Claims 1 to 4, 
in its application to a] claim 1 wherein the memory chip card [(CM) comprising] comprises 
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Attachment to Preliminary Amendment dated Mav 11. 2001 



Marked-up Claims 1-13 



two counters, one [(CE)] counting the authentications and the other [(CT)] counting [the] 
payment transactions, [characterised in that] and wherein the variables of the cryptographic 
functions [F, G and FJ comprise the values [(CTE l5 CTE 2 , CTC 1; CTC 2 )] of said 



6. (Amended) A method according to [one of the previous claims, 
characterised in that] claim 1 wherein the cryptographic functions [F, G and F J are one- 
way functions. 

7. (Amended) A method according to Claim 6, [characterised in that] wherein 
the cryptographic functions [F, G and FJ are "hashing" functions. 

8. (Amended) A method according to [one of the previous Claims 3 to 7, 
characterised in that the] claim 3. wherein step (b) comprises the following steps [consisting 
of]: 



counters. 



(bi) reading the serial number CSN of the card [(CM)], 



(b 2 ) reading the content [(CT^ and/or CTQ)] of the counter, and 
(b 3 ) calculating the session key according to a cryptographic function F 4 



ks 



such that: 



KSj 



h = CSN, CTC,). 
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Attachment to Preliminary Amendment da ted Mav 11. 2001 
Marked-up Claims 1-13 

9. (Amended) A method according to [one of Claims 1 to 8, characterised in 
that the] claim 1. wherein step (c) comprises the following steps [consisting of]: 

(q) transmitting the secret code CSQ to the card [CM], 

(c 2 ) comparing, in the card, this secret code CSQ with a secret code CSC 0 

recorded in the card [CM] at the end of the previous transaction with the card, and 
(c 3 ) authorizing the remainder of the operations if the comparison indicates 

the identity CSC 0 = CSCj or refusing same [in the contrary case] if CSC 0 is not 

equal to CSC t . 

10. (Amended) A method according to [one of Claims 2 to 9, characterised in 
that the] claim 2. wherein step (y) comprises the following steps [consisting of]: 

(yO reading the content CA 0 of [the area ZCA] a designated area of the 
memory of the card CM, 

(y 2 ) transmitting, to the terminal [(TE)], the content CA 0 of [this area ZCA] 
said area which corresponds to an Authentication Certificate CA 0 calculated at the 
end of the previous transaction, 

(y 3 ) comparing, in the terminal [TE], the calculated Authentication 
Certificate CA 1 with the certificate CAq, and 

(y 4 ) authorizing the remainder of the operations if the comparison indicates 
the identify CA! = CA 0 . 
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Attachment to Preliminary Amendment dated M av 11. 2001 
Marked-up Claims 1-13 

11. (Amended) A method according to [one of Claims 1 to 10, characterised in 
that the] claim 1. wherein step (d) comprisesf, in the case of modification of the balance 
BAL 0 ,] the following steps [consisting of]: 

(dj) reading, from an area [ZBAL] of the memory [(M)], the value BAL 0 of 
[the] a balance resulting from the previous transaction and [the] a corresponding 
certificate CBAL 0 , and 

(dj) verifying that the certificate CBAL 0 correctly corresponds to the result 
of the cryptographic function such that: 

CBAL 0 = H (K,, BAL 0 , CSN, CTCJ, 

- K, being a transaction key, 

(d 3 ) incrementing the transaction counter to the value (CTCi + 1) = CTC 2 . 

(d 4 ) recording the new balance BAL X in [the] said area [ZBAL], 

(d 5 ) calculating a Certificate CBAL t for the new balance BALj such that: 

CBAL; = H (Kt, BALj, CSN, CTC 2 ), and 

(d 6 ) recording CBALj in [the] said area [ZBAL]. 

12. (Amended) A method according to [one of the previous Claims 1 to 11, 
characterised in that: 

- the] claim 1 wherein step (a) also comprises a step of entering [the] a personal 
code [PIN] of the user. 
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Attachment to Preliminary Amendment dated M ay 11. 2001 
Marked-up Claims 1-13 

13. (Amended) A method according to [one of the previous Claims 3 to 12, 
characterised in that: 

- in the] claim 3. wherein in step (b), one of the variables used for calculating the 
session key. Ks x is [the] a personal code PIN of the user. 
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AUTHENTICATING METHOD BETW E EN A SMART CARD AND A 
TERMINAL 

The invention concerns memory chip cards and the 
terminals to which they are capable of being connected 
from time to time and, more particularly, a method 
which enables the memory chip card and the terminal to 
authenticate one another. 

Memory chip cards, on account of their not having 
a microprocessor, cannot use an authentication 
algorithm which involves calculations. However, 
certain memory chip cards use an algorithm in hard- 
wired form which allows the so-called "active" 
authentication of the card by the terminal but not the 
reverse authentication of the terminal by the card. 
Owing to their low cost, memory chip cards are used a 
great deal in many applications such as loyalty cards, 
access control, charge card payments, etc. However, 
owing to the lack of authentication, their security in 
use is vulnerable so that microprocessor cards are 
sometimes preferred to them for certain applications. 
But these microprocessor cards have a distinctly higher 
cost, which becomes increasingly higher as the 
authentication algorithm becomes more developed, which 
leads to them being ruled out for inexpensive 
applications. Also, the aim of the present invention 
is to obtain security in use of memory chip cards . 

This aim is achieved by using an authentication 
method in which all the algorithmic calculations are 
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performed by the terminal to which the memory chip card 
is connected. 

Furthermore, the operations relating to 
authentication are performed before the start of a 
transaction proper and after the end of this 
transaction with a view to the authentication at the 
start of the following transaction. 

The invention therefore concerns an 

authenticating method between a memory chip card having 
at least one counter and a terminal, characterised in 
that it comprises the following steps consisting of: 

(a) inserting the memory chip card into the 
terminal , 

(b) calculating, in the terminal, a secret code 
CSCi according to a cryptographic function F of a number 
of variables comprising at least a code CSN identifying 
the memory chip card and the value of said counter, 

(c) authenticating the terminal by the card when 
the calculated secret code CSCi is identical to a code 
CSC 0 recorded in the memory at the end of the previous 
authentication according to the operation (f) below, 

(d) carrying out the planned transaction and 
modifying the value of said counter, 

(e) calculating, in the terminal, a new secret 
code CSC 2 according to the cryptographic function F of 
the code CSN identifying the memory chip card and the 
new value of said counter, 

(f) updating the memory chip card for the next 
transaction by recording, in the memory, the new secret 
code CSC 2 calculated by the operation (e) . 
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In order to obtain authentication of the card by 
the terminal, the method comprises the following 
supplementary steps between the steps (c) and (d) 
consisting of: 

(x) calculating, in the terminal, an 
authentication certificate CA X according to a 
cryptographic function G of a number of variables 
comprising at least the code CSN identifying the memory 
chip card and the value of said counter, 

(y) authenticating the card by the terminal when 
the calculated authentication certificate CA X is 
identical to *a certificate CA 0 calculated and recorded 
in the card at the end of the previous transaction 
according to the steps (e') and (f) below: 

- in that the step (e) is supplemented by the 
following step consisting of: 

(e') calculating, in the terminal, a new 
authentication certificate CA 2 according to the 
cryptographic function G, 

- and in that the step (f) is supplemented by the 
following step consisting of: 

(f) updating the memory chip card for the next 
transaction by recording, in the memory, the new 
authentication certificate CA 2 calculated according to 
the step (e' ) . 

Other characteristics and advantages of the 
present invention will emerge from a reading of the 
following description of a particular embodiment, said 
description being given with reference to the 
accompanying drawing in which: 
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- Figure 1 is a simplified diagram of a memory 
chip card, and 

- Figure 2 is a chart showing the operations 
performed between the terminal and the memory chip card 
during a transaction. 

The method of the invention applies (Figure 1) to 
a memory chip card CM which of course comprises a 
memory M but also a so-called transaction counter CT 
which counts the transactions performed between the 
card CM and a terminal TE to which the card is 
connected by insertion. 

The memory chip card CM can also comprise a 
second so-called authentication counter CE which counts 
the authentication requests, these authentication 
requests possibly occurring at any time during a 
transaction and independently thereof. 

These two counters CE and CT can form part of the 
memory M according to known devices. 

In addition, the memory M of the card comprises a 
first area with unprotected read access in which there 
is recorded, for example the serial number CSN of the 
card in a part ZCSN, and a second area with protected 
access for the rest of the memory, this second area 
having parts which are allocated to the recording of 
particular values such as an Authentication Certificate 
CA in the part ZCA and a balance BAL and its 
authentication certificate CBAL in the part ZBAL . 

A third area ZCSC is reserved for the recording 
of a secret code CSC and its access for recording is 
subject to presentation of the secret code CSC. 
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The memory M is addressed by an addressing 
circuit ADR and the two-way transmission of signals 
between the terminal TE and the card CM takes place by 
means of an interface circuit INT. 

Furthermore, the card comprises a comparator CP 
which compares the code CSC read from the part ZCSC 
with a code supplied by the terminal TE, the result of 
the comparison allowing or not allowing the addressing 
of the protected area of the memory M. 

The method according to the invention will be 
described within the context of a mutual authentication 
between the card and the terminal using the transaction 
counter CT alone and so-called one-way cryptographic 
functions but the method of the invention can also 
apply to authentication of the terminal by the card 
alone, and to simultaneous use of the two counters CE 
and CT and cryptographic functions other than one-way 
ones. The various operations, notably cryptographic 
operations, can be carried out either in the terminal 
TE, or in a security module, or even in a remote 
device . 

Preferably, the mutual authentication method 
according to the invention comprises the following 
steps consisting of: 

(m) inserting the card CM into the terminal TE, 
this step possibly including the presentation of a 
personal code PIN of the card user, 

(n) calculating, in the terminal TE, a session 
key Ksi by: 



(ni) reading the serial number CSN of the card 

CM, 

(n 2 ) reading the content CTCi of the 
transaction counter CT of the card CM, and 

(n 3 ) calculating a session key Ksi according 
to a one-way cryptographic function F ks such that: 
Ksi = F ks (Km, CSN, CTd) 

Km being a parent key recorded in the 
terminal TE, 

- F ks being for example a function of the 
hashing type, 

(o) calculating, in the terminal TE, a secret 
code CSCi of the card using a cryptographic function F 
such that : 

CSCi = F(Ksi) , 

(p) authenticating the terminal TE by the card CM 

by: 

(pi) transmitting the secret code CSCi to the 
card CM, 

(p 2 ) comparing, in the comparator CP, this 
secret code CSCi with a secret code CSC 0 recorded in 
the card CM at the end of the previous transaction 
with the card, and 

(p 3 ) authorizing the remainder of the 
operations if the comparison indicates the identity 
CSC 0 = CSCi or refusing same in the contrary case; 
(q) calculating, in the terminal TE, an 
Authentication Certificate CA X such that: 
CAi = G(KSi) 

- G being a cryptographic function, and 
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(r) authenticating the card CM by the terminal TE 

by: 

(ri) reading the content CA 0 of the area ZCA 
of the memory of the card CM, 

(r 2 ) transmitting, to the terminal TE, the 
content CA 0 of this protected area ZCA which 
corresponds to an Authentication Certificate CA 0 
calculated at the end of the previous transaction, 

(r 3 ) comparing, in the terminal TE, the 
calculated Authentication Certificate CAi with the 
certificate CA 0 , and 

(r 4 ) authorizing the remainder of the 
operations if the comparison indicates the identity 
CAi = CA 0 ; 

(s) carrying out the transaction, this 
transaction possibly consisting for example of updating 
a memory area ZBAL indicating the state of the credit 
or balance BAL remaining in the card CM by: 

(si) reading, from the area ZBAL, the value 
BAL 0 of the balance resulting from the previous 
transaction and the corresponding certificate CBAL 0 , 
(s 2 ) verifying that the certificate CBAL 0 
correctly corresponds to the result of the 
cryptographic function such that : 

CBALo = H (K t , BAL 0 , CSN, CTd) , 
- K t being a transaction key, 

(s 3 ) incrementing the transaction counter to 
the value (CTCi + 1) = CTC 2 

(s 4 ) recording the new balance BALi in the 
area ZBAL, 
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(s s ) calculating a Certificate CBALi for the 
new balance BALi such that: 

CBALi = H(K t , BALi, CSN, CTC 2 ) , and 
(s 6 ) recording CBALi in the area ZBAL; 
(t) updating the card CM for the next transaction 
with a new secret code CSC 2 and a new certificate CA 2 , 
by 

(ti) calculating in the terminal TE : 

- the future session key Ks 2 such that: 
Ks 2 = FdQn, CSN, CTC 2 ) 

- the future secret code CSC 2 such that : 
CSC 2 = F(Ks 2 ) , 

the future authentication certificate CA 2 
such that : 

CA 2 = G(Ks 2 ) , 

(t 2 ) recording the secret code CSC 2 in the 
memory M of the card CM in the protected area and 
the authentication certificate CA 2 in the protected 
area ZCA. 

The invention has been described with a 
particular embodiment in which the transaction is an 
operation on the balance value of the card; however, 
the invention applies to any other transaction 
according to the applications provided for the card 
under consideration. 

In this particular example, the transaction ends 
with an incrementing of the transaction counter CT to a 
value CTC 2 which is usually equal to (CTCi + 1) . 
However, this value of CTC 2 can be different from (CTCi 
+ 1) and be equal, for example, to (CTCi + 3) . 
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This transaction counter must be incremented or 
decremented at each transaction even if the operation 
leads to the balance not being changed; in this case, 
it is necessary to perform the transaction by re- 
recording the unchanged balance but the certificate 
CBALi will be different since the transaction counter 
will have been incremented. The same will apply for 
the new secret code CSC 2 and the certificate CA 2 . 

The variables of the functions F, G and F ks which 
have been adopted in the example are the parent key, 
the serial number CSN and the value CTC of the 
transaction counter. However, additional variables can 
be used such as the personal code PIN of the card user, 
this code being entered into the terminal after 
insertion of the card. 

The invention has been described within the 
context of a card/terminal mutual authentication but it 
applies more generally first to an authentication of 
the terminal by the card, this first authentication 
possibly being followed or not followed by an 
authentication of the card by the terminal, the set of 
these two authentications making a mutual 
authentication. 

The example described uses cryptographic 
functions F, G and F ks using variables such as a parent 
key Kb, a session key K s and a transaction key K t , but 
such keys are not necessary for implementing the 
invention. 

The value of the authentication counter CE is 
preferably used for calculating the secret code CSN 
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while the value of the transaction counter CT is 
preferably used for calculating the authentication 
certificate CA. 



11 



CLAIMS 

1. An authenticating method between a memory 
chip card (CM) having at least one counter (CE, CT) and 
a terminal (TE) , characterised in that it comprises the 
following steps consisting of: 

(a) inserting the memory chip card (CM) into the 
terminal (TE) , 

(b) calculating, in the terminal, a secret code 
CSCi according to a cryptographic function F of a number 
of variables comprising at least a code CSN identifying 
the memory chip card and the value (CTE lf CTd) of said 
counter (CE, CT) , 

(c) authenticating the terminal by the card when 
the calculated secret code CSCi is identical to a code 
CSC 0 recorded in the memory at the end of the previous 
authentication according to the operation (f) below, 

(d) carrying out the planned transaction and 
modifying the value (CTE 2 , CTC 2 ) of said counter (CE, 
CT) , 

(e) calculating, in the terminal (TE) , a new 
secret code CSC 2 according to the cryptographic function 
F of the code CSN identifying the memory chip card (CM) 
and the new value (CTE 2 , CTC 2 ) of said counter (CE, CT) , 

(f) updating the memory chip card (CM) for the 
next transaction by recording, in the memory (M) , the 
new secret code CSC 2 calculated by the operation (e) . 

2. A method according to Claim 1, characterised: 
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in that it comprises the following 
supplementary steps between the steps (c) and (d) 
consisting of: 

(x) calculating, in the terminal (TE) , an 
authentication certificate CAi according to a 
cryptographic function G of a number of variables 
comprising at least the code CSN identifying the memory 
chip card and the value (CTEi, CTd) of the counter (CE, 
CT) , 

(y) authenticating the card (CM) by the terminal 
(TE) when the calculated authentication certificate CAi 
is identical to a certificate CA 0 calculated and 
recorded at the end of the previous transaction 
according to the steps (e') and (f) below: 

- in that the step (e) is supplemented by the 
following step consisting of: 

(e') calculating, in the terminal (TE) , a new 
authentication certificate CA 2 according to the 
cryptographic function G of the code CSN identifying 
the memory chip card and the new value (CTE 2 , CTC 2 ) of 
said counter (CE, CT) , 

- and in that the step (f) is supplemented by the 
following step consisting of: 

(f) updating the memory chip card (CM) for the 
next transaction by recording, in the memory (M) , the 
new authentication certificate CA 2 calculated according 
to the step (e' ) ■ 

3. A method according to Claim 1, characterised: 

- in that the step (b) consists of: 
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- first calculating, in the terminal (TE) , a 
session key K si according to a cryptographic function F ks 
of a number of variables comprising at least a parent 
key Km known by the terminal (TE) , the code CSN 
identifying the memory chip card (CM) and the value 
(CTE lf CTCi) of said counter (CE, CT) , 

- next calculating, in the terminal (TE) , the 
secret code CSCi according to the cryptographic function 
F of the session key K s i, 

- in that the step (e) consists of: 

- first calculating, in the terminal (TE) , a new 
session key K s2 according to the cryptographic function 
F ks with the new value (CTE 2/ CTC 2 ) of said counter (CE, 
CT) , 

- next calculating, in the terminal (TE) , the new 
secret code CSC 2 according to the cryptographic function 
F of the new session key K s2 . 

4 . A method according to Claim 2 and 3 , 
characterised in that: 

- the step (e') consists of calculating the new 
authentication certificate CA 2 according to the 
cryptographic function G of the new session key K s2 . 

5 . A method according to any one of the previous 
Claims 1 to 4 , in its application to a memory chip card 
(CM) comprising two counters, one (CE) counting the 
authentications and the other (CT) counting the payment 
transactions, characterised in that the variables of 
the cryptographic functions F, G and F ks comprise the 
values (CTEi, CTE 2 , CTd, CTC 2 ) of said counters. 
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6. A method according to one of the previous 
claims, characterised in that the cryptographic 
functions F, G and F ks are one-way functions. 

7. A method according to Claim 6, characterised 
in that the cryptographic functions F, G and F ks are 
"hashing" functions. 

8. A method according to one of the previous 
Claims 3 to 7, characterised in that the step (b) 
comprises the following steps consisting of: 

(bi) reading the serial number CSN of the card 

(CM) , 

(b 2 ) reading the content (CTE X and/or CTCi) of 
the counter, and 

(b 3 ) calculating the session key according to 
a cryptographic function F ks such that: 

Ksi = F ks (K m , CSN, CTCi) . 

9. A method according to one of Claims 1 to 8 , 
characterised in that the step (c) comprises the 
following steps consisting of: 

(ci) transmitting the secret code CSCi to the 
card CM, 

(c 2 ) comparing, in the card, this secret code 
CSCi with a secret code CSC 0 recorded in the card CM 
at the end of the previous transaction with the 
card, and 

(c 3 ) authorizing the remainder of the 
operations if the comparison indicates the identity 
CSC 0 = CSCi or refusing same in the contrary case. 
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10. A method according to one of Claims 2 to 9, 
characterised in that the step (y) comprises the 
following steps consisting of: 

(y x ) reading the content CA 0 of the area ZCA 
of the memory of the card CM, 

(y 2 ) transmitting, to the terminal (TE) , the 
content CA 0 of this area ZCA which corresponds to an 
Authentication Certificate CA 0 calculated at the end 
of the previous transaction, 

(y 3 ) comparing, in the terminal TE, the 
calculated Authentication Certificate CAi with the 
certificate CA 0 , and 

(y 4 ) authorizing the remainder of the 
operations if the comparison indicates the identity 
CAi = CA 0 . 

11. A method according to one of Claims 1 to 10, 
characterised in that the step (d) comprises, in the 
case of modification of the balance BAL 0 , the following 
steps consisting of: 

(di) reading, from an area ZBAL of the memory 
(M) , the value BAL 0 of the balance resulting from 
the previous transaction and the corresponding 
certificate CBAL 0 , and 

(d 2 ) verifying that the certificate CBAL 0 
correctly corresponds to the result of the 
cryptographic function such that: 

CBALo = H(K t , BAL 0 , CSN, CTd), 

- K t being a transaction key, 

(d 3 ) incrementing the transaction counter to 
the value (CTd + 1) = CTC 2 
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(d 4 ) recording the new balance BAL X in the 
area ZBAL, 

(d 5 ) calculating a Certificate CBALx for the 
new balance BALi such that: 

CBALi = H (K t , BALi, CSN, CTC 2 ) , and 
(d s ) recording CBALi in the area ZBAL. 

12 . A method according to one of the previous 
Claims 1 to 11, characterised in that: 

- the step (a) also comprises a step of entering 
the personal code PIN of the user. 

13 . A method according to one of the previous 
Claims 3 to 12, characterised in that: 

- in the step (b) , one of the variables used for 
calculating the session Ksi is the personal code PIN of 
the user. 
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